Field | Value
---|---
File name | pdf.vbs
Full analysis | https://app.any.run/tasks/b933d202-bc5c-4473-8c4a-9bc56b40a71b
Verdict | Malicious activity
Threats | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
Analysis date | July 17, 2019, 07:57:46
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | F976C522799CB8F6588DA23253C2F6CD
SHA1 | 6526E30138A9EF4FBFAD6A55F5DBD236C32346CE
SHA256 | A54C5C570DFBF3C738D43E0B8D3CBE17F7B2D34106196564F47187EB0CAABA4E
SSDEEP | 49152:ayPdrWgGZi9pU9Ui7rtKh3IHhr3rW1GZgDILfLAwq20B6LSI:u

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3500 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\pdf.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 | | | |
864 | "C:\Users\admin\AppData\Local\Temp\file1name.exe" | C:\Users\admin\AppData\Local\Temp\file1name.exe | — | WScript.exe
User: admin; Company: Google LLC; Integrity Level: MEDIUM; Description: Google Update Setup; Version: ... | | | |
2324 | "C:\Users\admin\AppData\Local\Temp\file2name.exe" | C:\Users\admin\AppData\Local\Temp\file2name.exe | — | WScript.exe
User: admin; Company: tpmvscmgr; Integrity Level: MEDIUM; Description: cemapi; Version: 216.738.813.879 | | | |
4020 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | file2name.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) | | | |
1500 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | file1name.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) | | | |
3020 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2240 | REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\system32\REG.exe | — | RegAsm.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1488 | REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f | C:\Windows\system32\REG.exe | — | RegAsm.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2592 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
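The process tree above is the chain a detection engineer would want to alert on: WScript.exe launches two executables dropped into %TEMP%, each of those starts RegAsm.exe (a signed .NET utility that has no reason to run with an empty command line from a %TEMP% parent and is a well-known host for injected payloads), and RegAsm.exe then calls reg.exe to set DisableTaskMgr and DisableCMD under HKCU. The following Python is an added example, not ANY.RUN's code: EVENTS is transcribed from the table, and the allow-lists (which parents are plausible for RegAsm.exe, which paths count as user-writable) are assumptions to tune for your own estate.

```python
"""Behavioural triage of the process records in the report above.

Added example, not ANY.RUN's code. EVENTS is transcribed from the process
table; the rules and allow-lists are assumptions to tune per environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the executable
    cmdline: str
    parent_image: str  # image name of the parent, as the report gives it


# Transcribed from the process table (constructed input for this example).
EVENTS = [
    ProcEvent(3500, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\pdf.vbs"',
              "explorer.exe"),
    ProcEvent(864, r"C:\Users\admin\AppData\Local\Temp\file1name.exe",
              r'"C:\Users\admin\AppData\Local\Temp\file1name.exe"', "WScript.exe"),
    ProcEvent(2324, r"C:\Users\admin\AppData\Local\Temp\file2name.exe",
              r'"C:\Users\admin\AppData\Local\Temp\file2name.exe"', "WScript.exe"),
    ProcEvent(4020, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"', "file2name.exe"),
    ProcEvent(1500, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"', "file1name.exe"),
    ProcEvent(3020, r"C:\Windows\system32\DllHost.exe",
              r"C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}",
              "svchost.exe"),
    ProcEvent(2240, r"C:\Windows\system32\REG.exe",
              r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
              "RegAsm.exe"),
    ProcEvent(1488, r"C:\Windows\system32\REG.exe",
              r"REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f",
              "RegAsm.exe"),
    ProcEvent(2592, r"C:\Windows\system32\taskmgr.exe",
              r'"C:\Windows\system32\taskmgr.exe" /4', "explorer.exe"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(users\\public|appdata\\(local\\temp|roaming))\\", re.I)
# Assumption: parents from which an empty-argument RegAsm.exe launch is plausible.
REGASM_ALLOWED_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}
# HKCU policy values that hinder the user's own response; the sample sets the first two.
TAMPER_VALUES = {"disabletaskmgr", "disablecmd", "disableregistrytools"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (pid, reason) for every event that trips a rule."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), ev.parent_image.lower()
        if parent in SCRIPT_HOSTS and USER_WRITABLE.search(ev.image):
            findings.append((ev.pid, f"{ev.parent_image} launched executable from user-writable path"))
        if img == "regasm.exe" and parent not in REGASM_ALLOWED_PARENTS:
            findings.append((ev.pid, f"RegAsm.exe spawned by {ev.parent_image}: likely injection host"))
        if img == "reg.exe":
            value = re.search(r"/v\s+(\S+)", ev.cmdline, re.I)
            if value and value.group(1).lower() in TAMPER_VALUES and re.search(r"/d\s+1\b", ev.cmdline):
                findings.append((ev.pid, f"policy tampering: {value.group(1)} set to 1"))
    return findings


if __name__ == "__main__":
    for pid, why in triage(EVENTS):
        print(pid, why)
```

Run against the transcribed events, the rules flag PIDs 864 and 2324 (dropped executables), 4020 and 1500 (RegAsm.exe with an untrusted parent) and 2240 and 1488 (policy tampering), while the WScript.exe, DllHost.exe and taskmgr.exe rows pass. On a real endpoint the same three rules map onto Sysmon event 1 fields (Image, ParentImage, CommandLine).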
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
4020 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | B3B72FB27E76D9FADF14E8E03C4B2AFD | 584AE2F3846618CCE46C52D29719447185FE29A5A5B6AF8B4111F50E56538809
2324 | file2name.exe | C:\Users\Public\RRzkLShOyE.vbs | text | 7C0373B50E0B67457603DDB9293B12E8 | 98490123E2571E07DC8F69E54496821FE9CA5DEA8710C0DFEADEA4806DA10BD5
864 | file1name.exe | C:\Users\Public\yXlEoUtolf.vbs | text | 8E30403FD947849B9FDE3EB4E9EFCE75 | 5881000C89E75E504CE52B7FEA9128181D7A670DA8356E9AF19E0DDB89ADB227
3500 | WScript.exe | C:\Users\admin\AppData\Local\Temp\file2name.exe | executable | BF345FB6DCB1C23A6CA4D1955E23AD50 | 19B54AF5E4E7A50AE550F42BB858E64E640CCB1E7AC854DBAC230BFE6C6BBDAC
2324 | file2name.exe | C:\Users\admin\AppData\Roaming\TsWpfWrp\bidispl.bat | executable | 183A5D8B11B3954B1D400AA225CDB8F5 | 439366B6E68ACA2FEC416BCACF8B8AA6E042BE6A7EFF1DDB4F8BF8FD44333795
1500 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\636989507458007500_3c046ad7-81c2-4f55-9be0-da8a26455f50.db | sqlite | 0B3C43342CE2A99318AA0FE9E531C57B | 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8
3500 | WScript.exe | C:\Users\admin\AppData\Local\Temp\file1name.exe | executable | 4048545B1868F3C8A7A3BDE8ED3E3307 | 5B2A28463C0E1A25FA55DB253377BF199F7A29B2B43656F7C20DCA06E6EADF52
864 | file1name.exe | C:\Users\admin\AppData\Roaming\RuntimeBroker\SystemPropertiesRemote.bat | executable | F48454F4967C042BFF27ADC2CDAB07C7 | 13D8BF768AF08ABAE74BE6DB667822F6BD29440765DD162743B55EE086AA7F1B
4020 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | bs | 9E7D0351E4DF94A9B0BADCEB6A9DB963 | AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
4020 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin | binary | 4E5E92E2369688041CC82EF9650EDED2 | F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48

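Every dropped script or binary in the table lands in a user-writable location: two VBS files in C:\Users\Public, two .bat files under %APPDATA% subfolders, the two executables in %TEMP%, and a GUID-named %APPDATA% folder holding run.dat, catalog.dat and settings.bin. The Python below is an added example, not ANY.RUN's code, for sweeping a host for these artefacts. KNOWN_SHA256 is transcribed from the table; the drop-location heuristic is an assumption derived from this one sample, and the demo tree the code builds uses harmless stand-in content rather than the real files.

```python
"""Host sweep for the artefacts in the dropped-files table.

Added example, not ANY.RUN's code. KNOWN_SHA256 is transcribed from the
table; the drop-location heuristic and the demo tree are assumptions.
"""
import hashlib
import os
import re
import tempfile

# SHA256 -> file name, transcribed from the report (lower-cased for comparison).
KNOWN_SHA256 = {
    "19b54af5e4e7a50ae550f42bb858e64e640ccb1e7ac854dbac230bfe6c6bbdac": "file2name.exe",
    "5b2a28463c0e1a25fa55db253377bf199f7a29b2b43656f7c20dca06e6eadf52": "file1name.exe",
    "98490123e2571e07dc8f69e54496821fe9ca5dea8710c0dfeadea4806da10bd5": "RRzkLShOyE.vbs",
    "5881000c89e75e504ce52b7fea9128181d7a670da8356e9af19e0ddb89adb227": "yXlEoUtolf.vbs",
    "439366b6e68aca2fec416bcacf8b8aa6e042be6a7eff1ddb4f8bf8fd44333795": "bidispl.bat",
    "13d8bf768af08abae74be6db667822f6bd29440765dd162743b55ee086aa7f1b": "SystemPropertiesRemote.bat",
}

# Assumption: script/batch files dropped into these folders deserve a look.
SUSPICIOUS_DIR = re.compile(r"[\\/](users[\\/]public|appdata[\\/]roaming)([\\/]|$)", re.I)
SCRIPT_EXT = (".vbs", ".bat", ".cmd", ".js")


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_SHA256):
    """Walk `root` and return (path, reason) pairs: exact hash matches, then
    scripts sitting in the drop locations this sample used."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in known:
                hits.append((path, f"hash match: {known[digest]}"))
            elif name.lower().endswith(SCRIPT_EXT) and SUSPICIOUS_DIR.search(dirpath):
                hits.append((path, "script in user-writable drop location"))
    return hits


def build_demo_tree(root):
    """Constructed sample input: recreate the sample's drop layout with harmless
    stand-in content (the real payload bytes are deliberately not reproduced)."""
    layout = {
        ("Users", "Public", "RRzkLShOyE.vbs"): b"' stand-in for the dropped VBS\r\n",
        ("Users", "admin", "AppData", "Roaming", "TsWpfWrp", "bidispl.bat"): b"@echo stand-in\r\n",
        ("Users", "admin", "Documents", "notes.txt"): b"benign user file\n",
    }
    for parts, content in layout.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def run_demo():
    """Sweep the constructed tree; returns {file name: reason}."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        # Add the benign file's hash to the IOC set so the hash path is exercised too.
        notes = os.path.join(root, "Users", "admin", "Documents", "notes.txt")
        known = dict(KNOWN_SHA256)
        known[sha256_of(notes)] = "notes.txt (demo hash)"
        return {os.path.basename(p): why for p, why in sweep(root, known)}


if __name__ == "__main__":
    for name, why in run_demo().items():
        print(f"{name}: {why}")
```

Hash matching only catches byte-identical drops, which is why the location heuristic is there: the VBS and .bat file names in this report are random, and a rebuilt sample will carry different hashes but the same drop pattern.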
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
1500 | RegAsm.exe | GET | 200 | 18.211.215.84:80 | http://checkip.amazonaws.com/ | US | text | 16 b | shared

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
1500 | RegAsm.exe | 18.211.215.84:80 | checkip.amazonaws.com | — | US | shared
4020 | RegAsm.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted
4020 | RegAsm.exe | 69.197.188.187:30303 | — | WholeSale Internet, Inc. | US | malicious
1500 | RegAsm.exe | 185.159.131.4:587 | mail.thetexeperts.com | IT Outsourcing LLC | RU | malicious
4020 | RegAsm.exe | 96.47.239.239:30303 | justgo.linkpc.net | QuadraNet, Inc | US | malicious

Domain | IP | Reputation
---|---|---
dns.msftncsi.com | | shared
checkip.amazonaws.com | 18.211.215.84 | shared
justgo.linkpc.net | 96.47.239.239 | malicious
mail.thetexeperts.com | 185.159.131.4 | malicious

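All network activity in this run comes from the two RegAsm.exe instances. PID 1500 performs the checkip.amazonaws.com lookup and then connects to mail.thetexeperts.com on TCP 587, which lines up with the Agent Tesla IP-check signature in the alerts table below; PID 4020 talks to two hosts on TCP 30303, which lines up with the NanoCore signatures. The Python below is an added example, not ANY.RUN's code, that turns those records into blockable IOCs and keeps them apart from hunting leads such as the IP-check service, which is shared infrastructure and should not be blocked outright. CONNECTIONS is transcribed from the tables above; the process allow-lists and port classes are assumptions.

```python
"""Network-IOC extraction from the connection and DNS records above.

Added example, not ANY.RUN's code. CONNECTIONS is transcribed from the
report; the allow-lists and port classes are assumptions.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "pid process ip port domain reputation")

# Transcribed from the HTTP request and connection tables (constructed input).
CONNECTIONS = [
    Conn(1500, "RegAsm.exe", "18.211.215.84", 80, "checkip.amazonaws.com", "shared"),
    Conn(4020, "RegAsm.exe", "8.8.8.8", 53, None, "whitelisted"),
    Conn(4020, "RegAsm.exe", "69.197.188.187", 30303, None, "malicious"),
    Conn(1500, "RegAsm.exe", "185.159.131.4", 587, "mail.thetexeperts.com", "malicious"),
    Conn(4020, "RegAsm.exe", "96.47.239.239", 30303, "justgo.linkpc.net", "malicious"),
]

# Assumptions, to be extended for your environment.
IP_CHECK_SERVICES = {"checkip.amazonaws.com", "api.ipify.org", "icanhazip.com"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# .NET utilities routinely abused as hosts for injected payloads; none of them
# has a reason to open sockets of its own.
NO_NETWORK_EXPECTED = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
SMTP_PORTS = {25, 465, 587}
STANDARD_PORTS = {53, 80, 443}


def classify(conn):
    """List the behavioural reasons a connection deserves attention."""
    reasons = []
    proc = conn.process.lower()
    if proc in NO_NETWORK_EXPECTED:
        reasons.append(f"{conn.process} should never open sockets")
    if conn.domain in IP_CHECK_SERVICES:
        reasons.append("external IP lookup, a typical stealer/RAT start-up step")
    if conn.port in SMTP_PORTS and proc not in MAIL_CLIENTS:
        reasons.append("SMTP from a non-mail process, consistent with Agent Tesla exfiltration")
    if conn.port > 1024 and conn.port not in STANDARD_PORTS:
        reasons.append(f"non-standard port {conn.port}")
    if conn.reputation == "malicious":
        reasons.append("destination flagged malicious by the sandbox")
    return reasons


def extract_iocs(conns):
    """Split destinations into hard IOCs (sandbox says malicious, safe to block)
    and hunting leads (behaviourally odd but on shared infrastructure)."""
    block, hunt = set(), set()
    for c in conns:
        target = f"{c.domain or c.ip}:{c.port}"
        if c.reputation == "malicious":
            block.add(target)
        elif len(classify(c)) >= 2:
            hunt.add(target)
    return sorted(block), sorted(hunt)


if __name__ == "__main__":
    block, hunt = extract_iocs(CONNECTIONS)
    print("block:", block)
    print("hunt:", hunt)
```

The split matters operationally: the three malicious destinations can go straight into a firewall or DNS blocklist, whereas checkip.amazonaws.com is worth a hunt query (which processes on the fleet are querying it?) but not a block, since legitimate software uses it too. The DNS resolver entry trips only the "RegAsm.exe should never open sockets" rule, which is the right signal for an EDR rule on the host rather than for a network IOC.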
PID | Process | Class | Message |
---|---|---|---|
1500 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check |
4020 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
1500 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
4020 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4020 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4020 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4020 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4020 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4020 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
4020 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |